JP2002521720A - Circuits and methods for modulo multiplication - Google Patents

Abstract

(57) Summary The coprocessor 44 executes a mathematical algorithm that encrypts data and calculates a modular exponential equation to decrypt the data. Pipelined multiplier 56 receives the 16-bit data value stored in A / B RAM 72 and generates a partial product. The generated partial product is added in the adder 58 with the previous partial product stored in the product RAM 64. Modulo converter 60 aligns and adds binary data value N to the sum when a particular data bit position of the sum has a logical one value. N RAM 70 stores data value N added to the total value in modulo converter 60. The coprocessor 44 calculates the Foster-Montgomery conversion algorithm and converts the value of (A * B mod N) without having to first calculate the value of ↓ as required by the Montgomery conversion algorithm.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[Industrial applications]

 The present invention relates generally to multipliers, and more particularly, to cryptographic multipliers.

[0002]

[Prior art]

Rivest-Shamir-Adleman (RSA) is a widely used encryption algorithm that provides a high degree of confidentiality for digital data transfer between electronic devices. The modular exponentiation math of the RSA algorithm is
The calculation can be efficiently performed using the Montgomery method for modular conversion based on a hardware multiplier. Large integer modular exponentiation can be computed efficiently by repeating modular multiplication, and the overall efficiency of the RSA operation is directly related to the speed of the multiplier. The hardware multiplier architecture utilizes the Montgomery algorithm's massively balanced pipelined approach. Montgomery
A pipelined hardware multiplier that computes the algorithm can balance speed and silicon area, resulting in a high-performance, cost-effective solution. Also, pipelined integer modular multipliers allow for the reduction of power required in many applications.

[0003] Cryptographic systems facilitated by the RSA algorithm provide a high level of confidentiality, but are expensive to implement. The math of the RSA algorithm with modular exponentiation is simple and straightforward, but efficient hardware implementation is not. As the demand for faster cryptographic operations and higher performance increases, improvements in hardware modular multiplier architectures are needed to ensure a high degree of confidentiality.

Accordingly, it would be advantageous to have a high performance, low cost, low power modular power and multiply system for incorporation within an integrated circuit. There is a need for a multiplication system that achieves high performance by operating the Montgomery algorithm in fewer clock cycles than in prior art systems. Further, there is a need for a multiplication system that can accommodate operands with an increased number of bits.

[0005]

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 is a block diagram of a smart card 10 constructed to operate in a data communication network. In the “contact type” smart card structure, the smart card 10 has an interface (I / F) connected to several contact points 13.
) Block 12. The contact points 13 enable the transfer of electrical signals between a terminal (not shown) and the smart card 10. The smart card 10 receives an operating potential from a terminal device through one of the contact points 13 that supplies energy to functional blocks in the smart card 10. The input / output (I / O) signal is transferred between the smart card 10 and the terminal device by further utilizing the contact point 13.

Alternatively, the smart card 10 can be a “contactless” smart card that operates without making physical contact with the terminal device. In this case, the smart card 10 both receives the input signal on the carrier frequency and transmits the modulated output signal. For example, radio frequency (RF) energy is radiated to a coil (not shown) within the smart card 10 and the coil provides an operating potential that enables operation of functional blocks within the smart card 10.

[0007] In addition to an I / F block 12 for transmitting and receiving data to and from an external terminal device, the smart card 10 includes a universal asynchronous receiver-transmitter device (UART: Universal Asynchronous R).
eceiver-Transmitter device) 14. The UART 14 serves as an interface between the microprocessor 18 and the terminal device. The interface block, UART, receives an adjustable clock signal from a baud rate generator 16 that moves data dynamically through UART. The system bus 15 generally includes a microprocessor 18, a UART 14, a random access memory (RAM) 20.
, Read-only memory (ROM) 22, memory access controller (MAC: Memory)
Access controller (24) and Secure Memory Management Unit (SMMU)
y Management Unit) 28 and other functional blocks. Data received from the UART 14 is stored in a RAM 20, and a portion of the RAM 20 is non-volatile and retains information when the smart card 10 is not receiving an operating potential. Examples of non-volatile memories include, in particular, electrically erasable (E ² ) memories or high-power memories. ROM 22 provides data and instructions for the operating system of smart card 10 via a system bus for program control of microprocessor 18. Data from RAM 20 is MAC 24
To the Foster-Montgomery Hardware Accelerator (FMHA) 26 where mathematical operations are performed to encrypt the data. The FMHA 26 is also called a modular arithmetic unit (MAU) or a cryptographic accelerator block. The encrypted data is sent from the FMHA 26 to the system bus 1
5 to the UART 14 and the terminal device.

Note that the smart card 10 shown in FIG. 1 is in a simplified form. Further, note that smart card 10 is a computer chip embedded inside a plastic credit card that operates in both a "contact" mode and a "contactless" mode. In particular, serial communication interface block, watchdog timer, interval
Other blocks, such as a timer and an interrupt controller, can be added to the smart card 10 as functional blocks.

In operation, the smart card 10 opens a secure communication link for data transmitted between the smart card 10 and the terminal. Under the control of the microprocessor 18, the SMMU 28, MAC 24 and FMHA 26 work together to calculate a modular exponentiation equation for encrypting a portion of the data stored in the RAM 20 using the encryption key and other information. Execute a mathematical algorithm. By way of example, RAM 20 stores personal health records, financial records, and personal identification identifiers, such as fingerprints and retinal eyeprints. The personal data is transferred from the RAM 20 to the MAC 24 via the system bus 15 and from the MAC 24 to the FMHA 26 via the data host bus 25.
Is forwarded to FMHA 26 encrypts data received on data host bus 25 using functions including modular multiplication, addition, subtraction and exponentiation. After data encryption, the encrypted personal data is transferred from FMHA 26 to UART 14 and I / F block 12. Encrypted personal data is transmitted via RF signals for contactless smart cards and 1 for contact smart cards.
Released to the terminal through a set of I / O pins.

FIG. 2 is a diagram showing data exchanged with an integrated circuit including an FMHA block via the Internet. A keyboard 30 provides a user with an interface for inputting data to a central processing unit (CPU). The monitor 32 is
It allows a user to visually display data stored in CPU. The integrated circuit 36 has an encryption circuit configuration for executing the Foster-Montgomery algorithm. Data stored in the CPU 34 is transmitted to the integrated circuit 36 via a data bus.
The encrypted data is transferred to the Internet 38. Data received via the Internet 38 can be transferred to the integrated circuit 36 and decrypted. Thus, FIG. 2 illustrates an encryption system that interfaces to a communication network such as the Internet.

FIG. 3 is a block diagram showing functional blocks included in the FMHA 26 of FIG. Note that the same reference numbers are used in the drawings to indicate the same elements.
Note further that the Foster-Montgomery algorithm forms the product of operands A and B. However, each of the operands A and B is a large integer such as a 1024-bit number. By the pipeline method used by the FMHA 26, the operands A and B can be divided into a plurality of regular 16-bit numbers called digits. The digits include 16 bits of data, but this is not a limitation of the present invention. Further, each divided number in the set of operand A numbers is referred to as a value A. Similarly, each divided number in the set of operand B numbers is represented by the value B
Call. Examples of the value A are A ₀ , A ₁ ,... A ₆₃ , and examples of the value B are B ₀ , B _{1 ,.} The host interface (I / F) block 40 receives the value A and the value B from the RAM 20 via the data host bus 25 (FIG. 1). Values A and B are A / B random
It is stored in an access memory (RAM) 72. The I / F block 40 also receives control signals from the host processor or microprocessor 18 (FIG. 1),
These signals are converted to host control signals by a control circuit 74 for controlling data transfer in the FMHA 26.

The control circuit 74 has a terminal connected to the output of the host I / F block 40 via a bus called the data bus 41. The control circuit 74 receives control signals from the host processor and generates signals that control interaction between the host I / F block 40 and other blocks in the FMHA 26.

The digit negation unit (DNU: Digit Negation Unit) 42
It has an input connected to the output of the host I / F block 40 via the data bus 41. The value B is received from the A / B RAM 72 on the data bus 41 at the input of the DNU 42 and transferred to the terminal 46 of the coprocessor 44 or
And is transferred to the terminal 46. The coprocessor 44 also has a terminal 48 connected to the data bus 41 for receiving the value A from the A / B RAM 72.
The terminals 50, 52 of the coprocessor 44 are coupled to receive the partial product value and the value N, respectively. Operand N is the coefficient of all operations and defines the bounds for which mathematical calculations are valid. The range of possible numbers is therefore limited by the coefficients.

The coprocessor 44 calculates a Foster-Montgomery modular conversion algorithm. Coprocessor 44 includes a multiplier 56 having a first input connected to terminal 46 and a second input connected to terminal 48. Adder circuit or adder 58 has a first input connected to the output of multiplier 56 and a second input connected to terminal 50 of coprocessor 44. Modulo converter 60 has a first input connected to the output of adder 58, and a second input connected to terminal 52 of coprocessor 44. Latch 62 has an input connected to the output of modulo converter 60, and an output connected to terminal 54 of coprocessor 44. The latch 62 is connected to the coprocessor 4
4 may not be required for certain embodiments, and terminals 46, 48, 50,
52, etc., may or may not be included.

An output terminal of coprocessor 44 is connected to an input of product RAM 64. Product RAM 64 provides a temporary storage location for intermediate data values generated by coprocessor 44. By way of example, product RAM 64 has two separate RAMs, an even memory and an odd memory, which allow for double access within a single cycle. For example, during one cycle, the even memory supplies the data needed during the next calculation involving the coprocessor 44 and the odd memory stores the coprocessor 44 in the previous calculation.
Stores the data generated by. In the next cycle, the odd memory is
4 provides the necessary data during the next calculation involving, and the even memory stores the data generated by coprocessor 44 in the previous calculation. In this way, the even and odd memories alternate between read and write modes each cycle, and neither memory is in read or write mode during the same cycle. product
Both the even and odd memories of RAM 64 are organized into 32 rows, each storing 16 bits of data (digits).

The output of the product RAM 64 is a data switch unit (DSU).
68 is connected to a first input. A second input of DSU 68 is connected to data bus 41. The output of DSU 68 is connected to terminal 50 of coprocessor 44. Thus, either the data from data bus 41 or the data from product RAM 64 is selected in DSU 68 as a partial product value and transferred to terminal 50 of coprocessor 44. The data from the product RAM 64 can also be transferred to the data bus 41.

N RAM 70 is connected to data bus 41 and has an input for receiving coefficient values for the number system used by coprocessor 44. N RAM 70 has, for example, 1
It is organized into 64 rows that store 6 bits of data. An output of the N RAM 70 is connected to a first input of a digit compare unit (DCU) 66. A second input of DCU 66 is connected to data bus 41. The output of DCU 66 is connected to terminal 52 of coprocessor 44. Thus, either data from the data bus 41 or data from the N RAM 70 is selected as the value N in the DCU 66 and transferred to the terminal 52 of the coprocessor 44. Data is stored in N RAM7
0 can be transferred to the DCU 66 via the data bus 41.

An A / B RAM 72 having an A section and a B section is connected to the data bus 41 and receives source operands for mathematical operations. For example, A / B
The RAM 72 stores all digits of the first operand having 1024 bits in the A section, that is, 64 digits of the value A of the operand A to be split. Similarly, the A / B RAM 72 stores all of the digits of the second operand having 1024 bits in the B section, ie, 64 digits of the value B of the operand B to be split. In this way, the A / B RAM 72 stores the 64 digits of the value A transferred to the terminal 48 of the coprocessor 44 and the value B transferred to the input of the DNU 42.
And 64 digits are stored. Alternatively, the A / B RAM 72 may be two separate memories, one for storing operand A and one for storing operand B. Further, in the present invention, the B section of the A / B RAM 72 stores the final product of the multiplication of the operands A and B after the end of the encryption operation. The output of product RAM 64 is transferred to data bus 41 in DSU 68 once the final product has been calculated. The host I / F block 40 can transfer the final product, that is, the encrypted data stored in the B section of the A / B RAM 72 to the data host bus 25.

The FMHA 26 performs multiplication of operands A and B for encryption and decryption. Operands A and B are numeric data or an American Standards Code Information Exchange Standard Code (ASCII).
nge)) or any other text string that is converted to an ordinal utilizing another converted character set. The FMHA 26 treats this data as a binary integer whole number. The Montgomery conversion algorithm for modular multiplication is
Takes the form: (A * R mod N) (B * R mod N) + ↓ * N where: A is an integer in the first operand; B is an integer in the second operand; N is an integer having an odd value; mod N is the remainder of (A * B * R) that defines the bounded number of elements; R is an integer power of 2 having a value greater than the value of N; and ↓ is (A * R mod N) (B * R mod N) + ↓ * is a conversion value calculated so that N is an integer that can be divided by R without losing the upper bits.

In one example utilizing the FMHA 26 concept, two 1024-bit operands are multiplied using a pipelined approach and multiple passes or rotations within coprocessor 44. At this time, the two 56-bit binary numbers are multiplied by the multiplier 56. However, the invention is not limited to 1024-bit operands or hardware multipliers that multiply two 16-bit binary numbers. For simplicity, the Foster-Montgomery modular conversion algorithm will be described using the following example of multiplying two small numbers. The Montgomery method uses operand A
, B are pre-multiplied by R to convert to Montgomery format and hardware.
Simplify modular conversion problems.

Using the base 2 number, the terms (A * R mod N) are: A ₁₀ = 9, R ₁₀ = 16 and N ₁₀ = 13
Has a value of 0001. Further, the term (B * R mod N) is B ₁₀ = 11, R ₁₀ =
It has a value of 0111 when 16 and N ₁₀ = 13. In the following example, the foster
The Montgomery conversion algorithm is used for multiplication of (A * R mod N), that is, (0001) and (B * R mod N), that is, (0111).

The multiplier 56 multiplies two data values, and the product of these data values is added to an adder 58
Is forwarded to The adder 58 generates a total value of the previous partial product and the product generated from the multiplier 56. In the Foster-Montgomery conversion algorithm, the logical value of a particular bit position in the sum determines whether the sum should be converted. Initially, a particular bit position is in the rightmost bit position, ie, the least significant data bit of the first sum. Multiplying the value of the bit position of the second data value by the first data value, ie, after bit multiplication, moves the particular bit position one bit position to the left. Thus, each time a bit multiplication is generated, a particular bit position in the sum is shifted one bit position to the left. That is, it moves from the least significant bit position to the most significant bit position.

In the Foster-Montgomery conversion algorithm, when the data bit value at a particular bit position has a logical 1 value, the value of N is matched to the particular bit position by a shift operation and added to the sum. Is done. By checking the logical value at a particular bit position for each bit multiplication and properly matching and adding the value of N, each partial product produced at the output of coprocessor 44 is Converted appropriately. On the other hand, the value of N is not added to the sum if the data bit value at a particular bit position has a logical zero value. A logical zero value indicates that the value at the particular bit position has already been converted and that some multiple of N is not a component of (.

In this example, the multiplier 56 calculates the value (A * R mod N), that is, (0001) and the value (B * R m
od N), that is, the product of (0111). The first bit multiplication is generated by multiplying the value (0001) by the least significant bit of (011 1 ), that is, a logical 1 value. For each multiplication that produces a bit multiplication, the result is summed with the stored partial product. Note that the first sum value and the bit multiplication have equal values because the stored partial product is initially zero.

(1) 0001 ← Initial value (A * R mod N) (2) Least significant bit of x 0001 ← (B * R mod N) (3) 0001 ← First bit multiplication Using Foster-Montgomery conversion algorithm The logical value of the data at a specific bit position of the total value determines whether the value of N should be added to the total value to convert the generated partial product. In this example, the least significant bit of the first bit multiplication (000 1 ) has a logical one value, so the value of N (4) is the first bit multiplication (3)
Is added to

(3) 0001 ← product of first bit multiplication (4) + 1101 ← value of N (5) 1110 ← result after conversion of first bit The second bit multiplication is performed by adding (B * R mod N) from the right of the second bit (0
Multiply 1 1 1).

(1) 0001 ← Initial value (6) x00 10 ← The second bit from the right of (B * R mod N) (7) 0010 ← Product of second bit multiplication Product (7) ) Is added to the stored previous result (5),
Generate a second sum (8).

(7) 0010 ← The product of the multiplication of the second bit (5) 1110 ← The result after the conversion of the first bit (8) 10000 ← The second sum value In this case, the second sum is also used in the Foster-Montgomery conversion algorithm The logical value of a particular bit position of the value determines whether to convert the second sum. In this case, the particular bit position is the position to the left of the least significant data bit (100 0 0)
It is. The second data bit has a logical zero value, so the value of N is not added to the second sum. In other words, the second sum has already been converted and does not require the addition of the shifted N values.

In the third bit multiplication, (1) is added to the third bit from the right of (B * R mod N) (0 1
Multiply the logical value located in 11).

(1) 0001 ← Initial value (9) x00 0 1 ← Third bit from the right of (B * R mod N) (10) 0100 ← Product of third bit multiplication After the third bit multiplication, The product of the third bit multiplication (10) is the previous result (8)
To obtain a third total value (11).

(10) 0100 ← The product of the third bit multiplication (8) +10000 ← Previous result (11) 010100 ← Third total value The product (10) of the third bit multiplication is added to the previous result (8) Thereafter, the logical value at a particular bit position in the third sum determines whether the sum should be converted. In this example, the specific bit position is the third bit position from the right (010 1 00).
When a particular bit position of the third sum has a logical one value, the value of N is aligned to the third particular bit position and added to the third sum. On the other hand, if the third specific bit position of the third sum has a logical zero, the value of N is not added to the third sum. In this example, the third bit position (10 1 00) from the right of the third sum has a logical 1 value, and the value of N is aligned with the third bit position from the right and added to the third sum. Is done.

(11) 010100 ← Third Total Value (12) + 1101 ← Correctly Matched N Value (13) 1001000 ← Result of Third Bit Conversion The generation of the fourth bit multiplication is performed by adding (B) to (1). * R mod N) is multiplied by the logical value located in the fourth bit ( 0 111) from the right.

(1) 0001 ← Initial value (14) x000 0 ← Fourth bit from the right of (B * R mod N) (15) 0000 ← Product of fourth bit multiplication After the fourth bit multiplication, The product of the 4-bit multiplication (15) is the previous result (13
) To obtain a fourth total value (16).

(15) 0000 ← The product of the fourth bit multiplication (13) 1001000 ← Previous result (16) 1001000 ← Fourth total value The fourth specific bit position of the fourth total value (16) is logic 1 or logic 0 The value is checked. For this example, the fourth specific bit position of the fourth sum (16) is the fourth bit position from the right (100 1 000). In this example, 4
The fourth bit position (100 1 000) has a logical 1 value, so the value of N is aligned with the fourth bit position from the right and added to the fourth sum.

(16) 01001000 ← Fourth Total Value (17) + 1101 ← Correctly Matched N Value (18) 10110000 ← Fourth Bit Conversion Result (A * R mod N) and (B * R mod N) ) That is, the product of (0001) and (0111) is
It has a value of (A * B * R ² mod N), that is, (1010000). (A * B * R ² mod N
) Divided by R gives (A * B * R mod N), that is, (1011). Note that the value of R is chosen as an integer multiple of base 2. In other words, R is 2 ¹ ,
2 ^2, 2 ^3,. . . , 2 ^I, etc. Here, I is an integer. For example, R is selected to have a value of 2 ^4. Usually, R represents is selected to have a value of 2 ^S. Here, S is the number of bits of the coefficient N. For this reason,
The operation of dividing by R is performed by a simple operation of shifting the product rightward I times. Furthermore, the value (A * B * R mod N) after division by R is in Montgomery format, that is, (value * R) mod N. The value in Montgomery format (A * B * R mod N) allows for multiple passes within coprocessor 44. When the values of A, B, R, and N are large, (A * R mod N) and (B * R mod N)
) Is an efficient way to multiply

In contrast to the Montgomery conversion algorithm, the value of ↓ in the Foster-Montgomery conversion algorithm is not calculated before multiplication of the two operands, but as shown in the above example, each bit multiplication is Conversion is performed after summing up the results. Note that the value of N is odd, that is, the value of N has a logical one at the least significant bit position. By adding N to the sum when the logical value at a particular bit position has a logical one value, the value (A * B * R ² mod N) has some zeros at lower bit positions. Generated. In other words, the Foster-Montgomery conversion algorithm assigns a logical 0 value to at least the number I of the least significant bit position.

After the operation through the coprocessor 44 where the data is in the form (A * B * R mod N)
Is the desired final form for the data is (A * B mod N). Example (A * B * R m
od N) is (1011). The value (A * B * R mod N) is ready for division by R
Is converted. To convert (A * B * R mod N), the least significant bit position of N is calculated as (A * B * R mod N).
 N) is to match the rightmost bit position with a logical 1 of the value. As an example
Thus, the value (A * B * R mod N) has a logical 1 value in the rightmost bit position (101
1). After correctly matching the value of N and summing with (A * B * R mod N), the first bit conversion
The calculated sum has a value of 11,000.

(19) 1011 ← (A * B * R mod N) value (20) + 1101 ← N value (21) 11000 ← New total value after first bit conversion The conversion of the new total value is N To the rightmost bit position (1 1 000) of the new sum value having a logical 1 value. The value after the second bit conversion is (10000000).

(21) 11000 ← value after conversion of first bit (22) +1110 ← value of N (23) 10000000 ← value after conversion of second bit The number of bits I at the least significant bit position has a logical 0 value At this time, the value of (A * B * R mod N) is converted and prepared for division by R. In other words, the operation of dividing by R changes to an operation of shifting the converted total value rightward I times. However, I is 4 in this example.

(23) 10000000 ← Value after conversion to second bit (24) Divide by R or shift right I times.

Thus, after division by R, the data to be encrypted has a value of (1000) and the Foster-Montgomery conversion algorithm uses the multiplication of (A * B * R mod N) × (A * B mod N) Used for Steps 19-24 of this example perform a division by R, which yields the value (A * B * R
mod N) is converted to (A * B mod N). In practice, this final division by R is performed by multiplying (A * B * R mod N) by one for conversion.

In operation, A / B RAM 72 stores operand A having 64 values, ie, A ₀ , A ₁ ,... A ₆₃ , and 64 values, ie, B ₀ , B _{1 ,.} With the operand B having, it is loaded through the host I / F block 40. 1024-bit operand A is 6
Four digits A ₆₃ -A ₀ are included. However, each digit has 16 bits of data. Thus, section A of A / B RAM 64 has 64 rows and 102
The entire 4-bit operand A can be stored, and the B section of the A / B RAM 64 has 64 rows and can store the entire 1024-bit operand B. Further, the N RAM 70 is loaded through the host I / F block 40 and the N ₆₃
Having 1024 bits are divided into 64 digits of to N _0.

Multiplier 56 operates on the data one digit at a time. Thus, the multiplication of operands A and B for encryption or decryption begins by transferring the lower digits of values A, B and N to coprocessor 44. The terminal 48 digits A ₀ coprocessor 44, the terminal 46 of the coprocessor 44 is the digit B _0, the terminal 52 of the coprocessor 44 receives the digit N _0. The product of the values A ₀ and B ₀ is calculated by multiplier 56 and the 16 least significant data bits are input to adder 58. The 16 most significant bits are temporarily stored in the transport chain of the multiplier 56.

The adder 58 adds the 16 data bits received from the multiplier 56 to the 16 data bits (initially 0) stored in the product RAM 64 to generate a total value. Modulo converter 60 receives the 16-bit sum from adder 58 and digit N ₀ from N RAM 70. In the Foster-Montgomery conversion algorithm, the logical value of a specific bit position of the total value determines whether to convert the total value. The modulo converter 60 starts with a particular bit position as the least significant bit position, and then moves the particular bit position one bit position to the left for each subsequent bit multiplication. In other words, a particular bit position starts with the least significant bit and is indexed with each bit multiplication toward the most significant bit position. At a particular bit position
Correctly matching the value of N _0, by adding N ₀ to the total value, the first partial product obtained by multiplying the value A ₀ and B ₀ are converted, it has a value of 0. The partial product generated by the modulo converter 60 is stored in the product RAM 64. The 16-bit value of ↓ is determined according to the logical value found at a specific bit position, and stored in the modulo converter 60.

To generate a second partial product, the new binary value B ₁ is transferred from the A / B RAM 72 to the coprocessor 44 and multiplied by the value A ₀ . Multiplier 56 calculates the product of the values A ₀ and B _1, and the 16 least significant data bits are input to adder 58. The adder 58 converts the 16 data bits received from the multiplier 56 into 16 data bits stored in the product RAM 64.
Add to the bit (initially 0) to generate the sum. Modulo converter 60 receives the 16-bit sum from adder 58 and digit N ₁ from N RAM 70. The modulo converter 60 converts the total value from the adder 58 by using the value of N ₁ and the value of ↓ determined by the generation of the first partial product, and converts the total value from the second partial product. Generate The second partial product is stored in the product RAM 64.

To complete the generation of the partial products in the first group, the values B _{2 to} B ₆₃ from the A / B RAM 72 are sequentially transferred to the coprocessor 44 and multiplied by the value A ₀ . Using the same value of ↓, the modulo converter 60 generates the remaining partial products from the N RAM 70 using the corresponding values of N _{2 to} N ₆₃ . The partial product is stored in the product RAM 64.

A₀Digit B₀~ B₆₃Completing the partial product of 64 obtained by multiplying_Two
Digit B₀~ B₆₃Are multiplied to generate a second group of 64 partial products. A ₁ , B₀In generating the partial product of, A₁Used to generate the remaining partial product containing
Note that the value of ↓ is determined. In addition, the remaining groups of the partial product
A_TwoDigit B₀~ B₆₃And A_ThreeDigit B₀~ B₆₃. . . A₆₃Digit B₀
~ B₆₃Is multiplied by B₀When the partial product related to is generated, the value of ↓ is determined
Set for each group. Digit B₀Is the value of the terminal 46 of the coprocessor 44.
The value of ↓ is determined and set when the
Note that the product is scaled to have a value of zero. Each group is N₀~ N₆₃Pair of
The response value is also used.

FIG. 4 is a block diagram of a part of the modulo converter 60. Modulo converter 60 is described in simplified form as a 4x4 array of adders for simplicity. In the preferred embodiment, the modulo converter 60 comprises an adder array having 16 rows and 16 columns. Note that matching the number of rows in the adder array to the number of columns is not a limitation of the present invention. Coprocessor 44 can operate within the adder array of non-square modulo converter 60.

The adder array of the modulo converter 60 has X columns and Y rows. Here, X and Y are integers. Column X ₀ is the first column and includes adders 90, 92, 94 and 96. X ₁ is the second column, an adder 100, 102, 104, 106. Column X ₂ is the third column, an adder 110, 112, 114. Column X ₃ is the fourth column, an adder 120, 122, 124, 126. Adders 90 to 96, 100
Each of -106, 110-116, 120-126 has first and second data inputs, a carry input (CI), a carry output (CO), and a total output (S).

The first inputs of adders 90, 92, 94, 96 in column X ₀ are terminals 80, 82, respectively.
, 84, 86. Two-input AND gates 89, 91, 93, 95 are connected together and have a first input connected to the Q output of latch 128. Outputs of the AND gates 89, 91, 93, and 95 are added to adders 90, 92, 94, and 96, respectively.
Is connected to the second input. The transport output (CO) of the adder 90 is supplied to the transport input (CI) of the adder 92, and the transport output of the adder 92 is supplied to the transport input of the adder 94.
The transport output of 4 is connected to the transport input of adder 96. The carry output of adder 96 is connected to the data input of latch 152. The output of the latch 152 is
Is connected to the transport input.

The first input of the adders 100, 102, 104, 106 of column X _{1 is} the adder 9 of column X ₀
0, 92, 94, 96 are connected to the individual outputs. 2-input AND gate 99, 10
1, 103 and 105 are connected together and have a first input commonly connected to the Q output of the latch 132. Outputs of the AND gates 99, 101, 103, and 105 are connected to second inputs of adders 100, 102, 104, and 106, respectively.
The transport output of the adder 100 is connected to the transport input of the adder 102, the transport output of the adder 102 is connected to the transport input of the adder 104, and the transport output of the adder 104 is connected to the transport input of the adder 106. The carry output of adder 106 is connected to the data input of latch 156. The output of latch 156 is connected to the carry input of adder 100.

[0052] The first input of the adder 110, 112, 114, 116 columns X ₂ includes an adder 1 column X ₁
00, 102, 104, 106. 2-input AND gate 1
09, 111, 113, and 115 are connected together and have a first input commonly connected to the Q output of latch 136. AND gates 109, 111, 113,
The output of 115 is connected to second inputs of adders 110, 112, 114, 116, respectively. The transport output of the adder 110 is the transport input of the adder 112, the transport output of the adder 112 is the transport input of the adder 114, and the transport output of the adder 114 is
Connected to the transport input of adder 116. The transport output of adder 116 is latch 160
Connected to the data input. The output of latch 160 is connected to the transport input of adder 110.

The first input of the adders 120, 122, 124, 126 of column X _{3 is} the adder 1 of column X ₂
10, 112, 114, 116 are connected to the individual outputs. 2-input AND gate 1
19, 121, 123, and 125 are connected together and have a first input commonly connected to the Q output of latch 140. AND gates 119, 121, 123,
The output of 125 is connected to second inputs of adders 120, 122, 124, 126, respectively. The transport output of the adder 120 is connected to the transport input of the adder 122, the transport output of the adder 122 is connected to the transport input of the adder 124, and the transport output of the adder 124 is connected to the transport input of the adder 126. The carry output of the adder 126 is
Connected to the data input. The output of latch 162 is connected to the carrier input of adder 120. The outputs S of the adders 120, 122, 124, 126 are connected to individual output terminals 164, 166, 168.170.

Further, the second inputs of the AND gates 89, 101, 113, and 125 are connected to each other and commonly connected to the input terminal 81. The second inputs of the AND gates 91, 103, and 115 are connected to each other, and are further commonly connected to the input of the latch 158 and the input terminal 83. The second inputs of the AND gates 93 and 105 are connected to each other, and are further commonly connected to the input of the latch 154 and the input terminal 85. A second input of the AND gate 95 is commonly connected to the input of the latch 150 and the input terminal 87. AND gate 99,1
The second inputs of 11 and 123 are connected to each other and commonly connected to the output of the latch 150. The second inputs of the AND gates 109 and 121 are connected to each other.
Commonly connected to 54 outputs. A second input of AND gate 119 is connected to the output of latch 158.

Each of the latches 128, 132, 136, and 140 has a set input (S), a reset input (R), and an output (Q). Latches 128, 132, 136, 1
40 is enabled when signal T is high and the signal at output Q has the same value as the signal at input S. The signal at output Q is latched when signal T transitions from a high logic value to a low logic value. The signal at input R resets the signal at output Q. Latch 12
The reset inputs R of 8, 132, 136, 140 are commonly connected to each other and to the terminal 79. Terminal 79 is coupled to receive reset signal R. 2-input AN
D-gate 130 has an output connected to the set input of latch 128. A first input of AND gate 130 is connected to a first input of adder 90. Two-input AND gate 134 has an output connected to the set input of latch 132. AND gate 1
A first input of 34 is connected to a first input of adder 102. 2-input AND gate 13
8 has an output connected to the set input of latch 136. AND gate 138
Is connected to the first input of adder 114. Two-input AND gate 142 has an output connected to the set input of latch 140. A first input of AND gate 142 is connected to a first input of adder 126. AND gate 130, 134, 1
The second inputs of 38, 142 are connected together and are commonly connected to terminal 78. Terminal 78 is coupled to receive signal T.

In operation, modulo converter 60 provides a multiplier 56 via adder 58 (FIG. 3).
Receives input from and generates a reduced partial product. In the example above, the number 0001
And 0111 are multiplied using the Foster-Montgomery conversion algorithm.
As described above, the logical value of a particular bit position determines whether the value of N is matched to the sum and added. When the logic value of a particular bit value has a logic one value, the architecture of the modulo converter 60 shifts the value of N to match and add to the sum value. Thus, the value of ↓ can be determined and stored in the latches 128, 132, 136, 140 according to the architecture of the modulo converter 60. In other words, the value of ↓ is not determined before the multiplication of digits A and B, but is determined during the multiplication of specific digits of A and B.

The latches 128, 132, 136 and 140 are reset by the signal R,
The output has a logical zero value. The value 0111 is generated by the multiplier 56 and
8 to the terminals 80, 82, 84, 86. AND gate 130 receives the least significant data bit of the sum from terminal 80 and causes latch 128 to be set with a logic one signal T. That is, the signal of the Q output has a logical 1 value. Note that signal T has a logical 1 value while B ₀ is provided to multiplier 46 and the value of N ₀ is provided to modulo converter 60. When the signal T transitions to a logic one force logic zero value, the logic values of the data in the latches 128, 132, 136, 140 are latched. The value of N ₀ is provided at terminals 81, 83, 85, 87, where N ₀ has a value of 1101 in the above example. N ₀ least significant data bits are provided at terminal 81.

The AND gates 89, 91, 93 and 95 are connected to the Q of the latch 128 having a logical 1 value.
It is enabled by a signal at the output. Therefore, the terminals 81, 83, 85,
The values of N ₀ received at 87 are forwarded to the second inputs of adders 90, 92, 94, 96, respectively. Adder 90 having a logic one at the first and second inputs provides a sum output signal at output S having a logic zero value. Further, the adder 9
0 generates a carrier signal at the output CO. Adder 92 receives a logical zero value at a first input in response to the logical zero value of terminal 83. When a logical one value is received at the second input of adder 92 and a logical one value is received for the carrier signal at input CI,
The sum signal at output S has a logic zero value and the carrier signal at output CO has a logic one value.

Adder 94 receives a logic one from AND gate 93 at a first input and a logic one from terminal 84 at a second input. The sum output S of the adder 94 has a logic one value, and the carrier output signal has a logic one value at the carrier output CO. Similarly, adder 9
6 receives a logic one from the AND gate 95 at a first input and a logic one from the terminal 86 at a second input. The sum output S of the adder 96 has a logical 0 value, and the carry signal of the carry output CO has a logical 1 value. Thus, adders 90-96 produced a value of 0100 in response to receiving the sum of multiplier 56 through adder 58. Further, a particular bit position, the least significant bit position, has a logical one value, and the value one has been matched and added to the sum by the Foster-Montgomery conversion algorithm.

The data generated by the adder in column X ₁ has a data-dependent value at a particular data bit position. The specific data bit position in this case is
This corresponds to the output S of the adder 92. Note that AND gate 134 receives a logical zero value from the sum signal at output S of adder 92. Latch 132 is not set and the Q output of latch 132 remains at a logic zero value. AND gate 99, 10
1, 103 and 105 generate logic 0 values at the second inputs of the adders 100, 102, 104 and 106, respectively. Adder 100 has a logic zero value at both the first and second inputs and produces a logic zero value at output S. Similarly, the adder 10
2 has a logic zero value at both the first and second inputs and produces a logic zero value at the output S. The adder 104 has a logical 0 value at a first input and a logical 1 value at a second input, and generates a logical 1 value at an output S. Adder 106 has a logical zero value at both the first and second inputs and produces a logical zero value at output S. Thus, the adder in column X ₁ produces the value 0100.

The data generated by the adder in column X ₂ also has a data-dependent value at a particular data bit position. The AND gate 138 outputs the output S of the adder 104.
Note that a logic one value is received from the sum signal at. Latch 136 is set and the Q output of latch 136 has a logic one value. AND gate 109, 1
11, 113 and 115 are enabled by a logic 1 value generated by latch 136. That is, the output data of the adders 100, 102, 104, and 106 are transferred to the first inputs of the adders 110, 112, 114, and 116, respectively. Adder 110 has a logical zero value at both the first and second inputs and produces a logical zero value at output S. Similarly, adder 112 has a logical zero value at both the first and second inputs and produces a logical zero value at output S. Adder 114 has a logic one value at both the first and second inputs, produces a logic zero value at output S, and a logic one value for the carrier output signal at output CO. Adder 116 has a logical 0 value at both the first and second inputs, a logical 1 at the carry input, and produces a logical 1 value at output S. Thus, the adder in column X ₂ generates the value 1000.

The data generated by the adder in column X ₃ also has a data-dependent value at a particular data bit position. Note that the particular data bit in this case is a logical value at the output of adder 116. AND gate 142 receives a logical 1 value from the sum signal at output S of adder 116. Latch 140
Is set, and the Q output of latch 140 has a logical 1 value. AND gate 109,
111, 113, and 115 are enabled by the logic 1 value generated by the latch 140. That is, the output data of the adders 110, 112, 114, and 116 are transferred to the first inputs of the adders 120, 122, 124, and 126, respectively.
Adder 120 has a logical zero value at both the first and second inputs and produces a logical zero value at output S. Similarly, adder 122 has a logic zero value at both the first and second inputs and produces a logic zero value at output S. Adder 124 also has a logic zero value at both the first and second inputs and produces a logic zero value at output S. Adder 126 has a logic one value at both the first and second inputs and produces a logic one value at the carry output as the carry output. Thus, the adder in the column X ₃ is the value 000
Generate 0.

After the adders in columns X ₀ , X ₁ , X ₂ , and X ₃ have converted the partial product values for the digits of A, digits B ₀ and N ₀ , the value of ↓ is Note that it is determined to be used. Specifically, during the conversion process that causes the first partial product of each group to have a value of zero, the appropriate latches 128, 132, 136, 140 are set and have a value for ↓. After the conversion of the first partial product to 0, the signal T transitions from a logical 1 to a logical 0 value and stores the value of ↓ in the latches 128, 132, 136, 140.
The stored value of ↓ and the corresponding value of N _{1 to} N ₆₃ are used when the digit of A is multiplied by the digits B _{1 to} B ₆₃ in the multiplier 56.

As an example, the 16 least significant data bits for the product of digits A ₀ and B ₀ are converted to 16 logic zero bits by modulo converter 60 using the value N ₀ . The modulo converter 60 determines and stores a ↓ value for converting the first partial product to a zero value. Multiplier 5
6 stores the most significant data bit used in generating the next partial product for the values A ₀ and B ₁ . Modulo conversion unit 60 uses the value of the stored value and N ₁ of ↓, generating a second partial product. Another product for A ₀ and B ₂ -B ₆₃ is generated by multiplier 56 and converted in modulo converter 60 using the stored value of ↓ and the values of N ₂ -N ₆₃ .

The modulo converter 60 determines and stores a first partial product of the second group, that is, a new value of ↓ that causes the product of A ₁ and B ₀ to be converted to a zero value. This new value of ↓ is B _{0 to} B _{63 in} A ₁
Is used to generate a group of partial products multiplied by. Thus, following the generation of all partial products in one group, the new value of ↓
Determined by 0. Note that the first partial product generated for each group is scaled to have a zero value by the new value of ↓.

FIG. 5 is a block diagram of a portion of a modulo converter 60 combined with a multiplier 56 used in the coprocessor of FIG. The multiplier structure or merged Foster-Montgomery (FM) multiplier 171 is described in simplified form as a 4x4 array of adders for simplicity. The merged FM multiplier 171 is described as an adder array having the same number of rows and columns, but this is not a limitation of the present invention. Note that the main functions of multiplier 56, adder 58, and modulo converter 60 of FIG. 3 are all performed by merged FM multiplier 171.

The form of the merged FM multiplier 171 shown in FIG. 5 is the same as the form of the modulo converter 60 shown in FIG. Combined FM multiplier 171 is also modulo converter 6
0. The adders 90, 92, 94, 96 in column X _0, the adder in the column X ₁ 100, 10
₂ , 104, 106, adders 110, 112, 114, 116 in column X2,
An adder 120, 122, 124, 126 in the X _3. Latch 152,
156, 160 and 162 store the carrier output signals used when generating the next partial product. AND gates modulo conversion unit 60 having an output connected to an input of each adder in the column X ₀ to X ₃ is replaced by the multiplexer in the merged type FM multiplier 171. Although the multiplexer is shown with an output connected to a first input of the adder, alternatively, the output of the multiplexer can be connected to a second input of the adder.

The multiplexer (mux) of the merged FM multiplier 171 has four inputs,
It has one output and two selector inputs. For details, mux 172, 174
, 176, 178 have outputs connected to adders 90-96, respectively. mu
x182, 184, 186, 188 have outputs connected to adders 100-106, respectively. mux 192, 194, 196, and 198 are adders 1 respectively.
It has an output connected to 10-116. mux 202, 204, 206, 208
Have outputs connected to adders 120-126, respectively. Furthermore, mux1
The first selector inputs 72-178 are connected together, and the second selector inputs mux 172-178 are connected together to provide one of the four signals at the four inputs of each mux to the corresponding one of adders 90-96. To the first input. Similarly, mux182-
188 are connected together, and the second selector inputs of muxes 182 to 188 are connected together to output one of the four signals at the four inputs of each mux to the corresponding one of the adders 100 to 106. Transfer to one input. The first selector inputs of muxes 192-198 are connected together, and the second selector inputs of muxes 192-198 are connected together to add one of the four signals at the four inputs of each mux to adder 11
Forward to corresponding first inputs 0-116. The first selector inputs of muxes 202-208 are connected together and the second selector inputs of muxes 202-208 are connected together to add one of the four signals at the four inputs of each mux to adders 120-126.
To the corresponding first input.

Mux 172 to 178, 182 to 188, 192 to 198 and 202 to 208
Of the four inputs are coupled to receive a logical zero value. mux17
A second input of 2 to 178 receives the value of digit B and a third input of mux 172 to 178.
The input receives the value of N. As an example, the digits A ₀ , B ₀ , N ₀ are supplied to a merged FM multiplier 171. Least significant data bits of the digit B _0, i.e. signal B (
Bit 0) is provided to the second input of mux 172. Similarly, the least significant data bit of digit N ₀ , signal N (bit 0), is provided to the third input of mux 172. fourth input of mux172 the bit N ₀ and logic sum of the least significant data bits B _0, that is, receives the signal N + B (bit 0).

The next lower data bit after digit B ₀ , that is, signal B (bit 1)
x174 is provided to the second input. Similarly, the lower the data of the next digit N ₀
A bit, signal N (bit 1), is provided to a third input of mux 174. mux
Fourth input of 174 bits N ₀ and the next lower data bits of the logical sum of B _0, that is, receives the signal N + B (bits) 1. Next data bit of the digit B _0, that is, the signal B (bit 2) is supplied to the second input of Mux176. Similarly, the next data bit of the digit N _0, i.e. the signal N (bit 2) is mux1
76 is provided to a third input. The fourth input of mux 176 receives the logical sum of the data bits next to bits N ₀ and B ₀ , signal N + B (bit 2). Similarly, in this example where the merged FM multiplier 171 performs a 4-bit by 4-bit multiplication,
Most significant data bit of the digit B _0, that is, the signal B (bit 3) is mux17
8 to a second input. Similarly, the top-level data or signals B of the digit B ₀ (bit 3) is supplied to the third input of Mux178. The fourth input of mux 178 is
The logical sum of the values supplied to the second and third inputs of mux, ie, digit N ₀
, To receive the sum of the most significant data bits of B _0. Note that the fourth input of each mux receives the logical sum of the values provided to the second and third inputs of that mux.

The first selector input signals of mux 172-178 are received from latch 212. Latch 212 activates logic circuit 210 when signal T transitions from a logic one to a logic zero value.
Latch the data signal. The data signal generated by the logic circuit 210 is a signal A
Exclusive OR operation of the product of (bit 0) and B (bit 0) with P (0). Here, P (0) is the least significant bit of the previous partial product value. mux 172-1
78 receives the signal A (bit 0) at the second selector input.

The first selector input signals of mux 182-188 are received from latch 216. When the signal T transitions from logic 1 to logic 0, the latch 216 activates the logic circuit 214.
Latch the data signal. The data signal generated by the logic circuit 214 is a signal A
The exclusive OR operation is performed on the product of (bit 1) and B (bit 1) with the total output signal of the adder 92. mux 182-188 provide signal A at the second selector input.
(Bit 1) is received.

The first selector input signals of mux 192-198 are received from latch 220. Latch 220 activates logic circuit 218 when signal T transitions from a logic one to a logic zero value.
Latch the data signal. The data signal generated by the logic circuit 218 is a signal A
It is obtained by performing an exclusive OR operation on the product of (bit 2) and B (bit 2) with the total output signal of the adder 104. mux 192-198 receive signal A (bit 2) at the second selector input.

The first selector input signals of mux 202-208 are received from latch 224. When the signal T transitions from a logic 1 to a logic 0 value, the latch 224
Latch the data signal. The data signal generated by the logic circuit 222 is a signal A
It is obtained by performing an exclusive OR operation on the product of (bit 3) and B (bit 3) with the total output signal of the adder 116. Muxes 202-208 receive signal A (bit 3) at the second selector input.

When the first and second selector inputs receive the individual logical value of 00, mux 172-
The signal of the first input at 178 is transferred to the output of the corresponding mux. When the first and second selector inputs receive the individual logical value of 01, the signals of the second inputs of muxes 172 to 178 are transferred to the corresponding mux outputs. When the first and second selector inputs receive ten individual logical values, the signals of the third inputs of muxes 172 to 178 are transferred to the corresponding mux outputs. When the first and second selector inputs receive 11 individual logical values, the signals of the fourth inputs of muxes 172 to 178 are transferred to the corresponding mux outputs.

According to the architecture of the merged FM multiplier 171, the value of ↓ is determined, and
Note that it can be stored within 12,216,220,224.
In other words, the value of ↓ is not calculated before the multiplication of A and B, the first value of ↓ is determined by the architecture of the merged FM multiplier 171 during the multiplication of the digits A ₀ , B ₀ and the latches 212, 216 , 220, and 224. That is, A ₀ ,
The same multiplication cycle used to calculate the product of B ₀ is used to determine the value of ↓. The first value of ↓ is used during the multiplication of A ₀ with other digits B ₁ -B ₆₃ . The second value of ↓ is latched in the latch 212,216,220,224, used during the multiplication of the digit B ₁ .about.B ₆₃ and A _1. Thus, the new value of ↓ is determined in the multiplication of each digit of A and B _0.

FIG. 6 is a flowchart of a method for determining the value of (R ² mod N) used in the Foster-Montgomery conversion algorithm. Operands A and B of the Foster-Montgomery conversion algorithm have the form (A * R mod N) and (B * R mod N), and are multiplied to generate a product (A * B * R ² mod N). . The product (A * B * R ² mod N) is merged with the value R
The output converted by the FM multiplier 171 (FIG. 5) and generated by the merged FM multiplier 171 has a value of (A * B * R mod N). The generation of the value (R ² mod N) is
The input value of the merged FM multiplier 171 is converted from the initial value of the operand A received via the data host bus (FIG. 3) to the correct form of (A * R mod N), and Required to convert the initial values to the correct form of (B * R mod N). As a result, the initial values of the operands A and B are converted to the Montgomery format. For example, when the operand A is multiplied by the value (R ² mod N) in the merged FM multiplier 171, it has a converted output value and becomes (A * R mod N). Similarly, when the operand B is multiplied by the value (R ² mod N) in the merged FM multiplier 171, this also has a converted output value and becomes (B * R mod N).

FIG. 6 is a flowchart 230 illustrating a method of generating a value (R ² mod N). Value (R ² m
od N) has (R mod N) and an R component. Where R is 2 ¹⁶ * I or 2
To the power of an integer. R is selected as having a size one digit greater than the number of digits representing N. Block 232 illustrates the generation of a variable having an initial value P for the value (R mod N). The value of P is calculated by subtracting the value of R from the value of N. Following the generation of the initial value P, at block 236, the value of P is compared to the value of N. If the P value is greater than the N value, a multiplier A value is calculated at block 240. However, the multiplier A value is the maximum power of two, the N value being multiplied by the P value and still smaller than the P value. At block 242, the value of multiplier A is multiplied by the N value, and the product (A * N) is subtracted from the P value to obtain a new P value. Block 23
At 6, if the N value is greater than the P value, the number of times P has been shifted is
Is shown in When the P value has been shifted by the number of zeros in the least significant bits of R, the calculation is finished and the P value of block 238 is the desired value (R ² mod N). Alternatively, if further shifting of the P value is needed at block 244, P is shifted an integer number of times, as shown at block 234. This integer value is selected as the digit size of the system, and shifting the most significant bit of P with the value "1" to the left an appropriate number of times gives the value R.

The calculation of A shown in block 240 can be performed in two different ways. The first method is to generate A such that the value of A is the largest power of 2 such that the value of N is multiplied by the value of P and still has a value less than the value of P. Second
Calculates A so that it is one less than the integer resulting from dividing the most significant digit of P by the most significant digit of N. In flow chart 230, performing the first method for determining the A value is greater than the second method for calculating the A value, as shown in blocks 236 and 240.
, 242 are executed several times. However, the circuit configuration required for the second method is more complicated than the circuit configuration required for the first method.

FIG. 7 is a block diagram showing the generation of the value (R ² mod N) described in FIG. First, mux 240 transfers the value of R from the first input of mux 240 to the input of subtractor 244. Further, the A value is initially set to 0, so that the multiplier 242 generates the A value at the other input of the subtractor 244. The subtractor 244 inputs a value (RN) to the first input of the mux 246.
Or P (see block 232 of FIG. 6). mux246 is the P value, is the data the 16-digit shift, i.e. to transfer data to 2 ¹⁶ multiplying shift circuit 248 (see block 234 of FIG. 6). Comparator 250 determines that the shifted data is N
Check if it has a value greater than the value (see block 236 in FIG. 6). As an example, the comparator 250 is a subtractor that provides a difference between the P _SHIFTED value and the N value. The comparator 250 may include an exclusive OR gate for comparing the bit width of the P _SHIFTED value with the bit width of the N value.

If the shifted value of P, P _SHIFTED , does not have a value greater than the N value, then transfer the P _SHIFTED value to the second input of _{mux 246} to generate a new P _SHIFTED value. The new P _SHIFTED value has data shifted further 16 digits by shift circuit 248. Each time data is shifted in the shift circuit 248, the comparator 2
Within 50, the new shift value is compared to the N value. If the new P _SHIFTED value has a value greater than the N value, a value (R ² mod N) is generated. mux 240 forwards the new P _SHIFTED value to the first input of subtractor 244. A generated by the multiplier 242
And N are forwarded to a second input of subtractor 244. Where A is the largest power of two integers resulting in the product multiplied by the value of N resulting in a product having a value less than the new P _SHIFTED value. A difference value of (P _SHIFTED -A * N) is generated by subtractor 244 for the desired value (R ² mod N).

An alternative method of determining the value (R ² mod N) includes: ₍₂₎ selecting a value of R having a value such as 2 ⁿ . Here, “n” is an integer. In other words, R is 2 ²
, ²⁴ , 28 ^,. . . , 2 ²⁵⁶ and so on. In the binary representation, the value of R has a logical one for the most significant data bit, followed by a sequence of zeros. The most significant data bit of the binary value of N, the leftmost logical one bit position of N, is matched to a logical zero value adjacent to the logical one of the value of R. The aligned value of N, N _ALIGNED, is subtracted from R to _determine the difference value of R-N _ALIGNED .
The process of matching the left most logic one of the N values to the logic zero value adjacent to the most significant data bit having a logic one value in the difference value is repeated until a value (R mod N) is obtained. In other words, the difference value having a value smaller than the N value is equal to the value (R mod N).

The value (R mod N) is shifted to the left by one bit position, and the N value is changed to the value (R
mod N) gives the value (2R mod N). The value (2R mod N) is used for both operands A and B of multiplier 56 (see FIG. 3). The newly determined value (2 ² R mod N) is used for both operands A and B of multiplier 56 to generate a value (2 ⁴ R mod N) at the output of coprocessor 44. The value newly generated from the coprocessor 44 is repeatedly used as a value for both the operands A and B in generating a new value until the new value has ₍₂₎ 2 ⁿ R mod N). However, ₍₂₎ 2 ⁿ is equal to the value of R. Thereby, a value (R ² mod N) is obtained.

Thus, it can be seen that the present invention provides a high performance, low cost and low power cryptographic multiplication system for construction in an integrated circuit. The Foster-Montgomery hardware accelerator achieves high performance by computing the Foster-Montgomery conversion algorithm and performing large operand multiplications in fewer clock cycles than prior art systems. The method and circuitry are applicable to operands with an increased number of bits.

[Brief description of the drawings]

[Figure 1] Foster-Montgomery Hardware Accelerator (FMHA:
1 is a block diagram of a smart card including a Foster-Montgomery Hardware Accelerator) block.

FIG. 2 is a diagram showing data transferred from an integrated circuit having an FMHA block to the Internet.

FIG. 3 is a block diagram showing functional blocks included in the FMHA block of FIG. 1;

FIG. 4 is a block diagram of a modulo converter.

FIG. 5 is a block diagram of a part of a modulo converter combined with a multiplier used in the FMHA of FIG. 1;

FIG. 6 shows a value (R ² mod) used in the Foster-Montgomery conversion algorithm.
N) is a flowchart 230 illustrating a method of generating N).

FIG. 7 is a block diagram illustrating generation of a value (R ² mod N) illustrated in FIG. 6;

──────────────────────────────────────────────────続 き Continuation of front page (81) Designated country EP (AT, BE, CH, CY, DE, DK, ES, FI, FR, GB, GR, IE, IT, LU, MC, NL, PT, SE ), OA (BF, BJ, CF, CG, CI, CM, GA, GN, GW, ML, MR, NE, SN, TD, TG), AP (GH, GM, KE, LS, MW, SD, SZ, UG, ZW), EA (AM, AZ, BY, KG, KZ, MD, RU, TJ, TM), AL, AM, AT, AU, AZ, BA, BB, BG, BR, BY, CA, CH, CN, CU, CZ, DE, DK, EE, ES, FI, GB, GE, GH, GM, HR, HU, ID, IL, IN, IS, JP, KE, KG , KP, KR, KZ, LC, LK, LR, LS, LT, LU, LV, MD, MG, MK, MN, MW, MX, NO, NZ, PL, PT, RO, RU, SD, SE, SG, SI, SK, SL, TJ, TM, TR, TT, UA, UG, UZ, VN, YU, ZW (72) Inventor Rodney Sea Tesh 85020 Phoenix, Arizona USA 13th Street, Phoenix 7026 (72) Inventor James Douglas Duwalkin Arizona, U.S.A. 85226 Chandler West Shannon Street 6802 (72) Inventor Michael J. Tora, U.S.A. 5301 F-term (Reference) 5B022 AA05 BA04 CA03 CA04 FA01 5B056 AA01 FF01 FF02 FF05 FF16 5J104 AA22 NA18

Claims (10)

[Claims] 1. A data processing system (26) for performing modulo multiplication comprising: a multiplier (5) having inputs (48, 46) for receiving binary data values A and B;
6); an adder (58) having a first input coupled to the output of the multiplier, a second input coupled to receive the partial product, and an output providing a sum value; And a first input coupled to the output of the adder (58), a second input (52) coupled to receive a binary data value N, and (A * B / R mod N). An output providing a data value having a format.
When a predetermined bit position of the sum has a first logic state,
A modulo converter (60) that matches the data value N and adds the binary data value N to the sum to produce the least significant data bit of the reduced value ↓
A data processing system comprising: 2. The data processing system according to claim 1, wherein when all bits of the conversion value ↓ are determined, the data value is converted to a zero value. 3. A smart card (10) comprising: a data bus (15) for transferring data to an output (13) of said smart card.
And coupled to the data bus, multiplying a first digit (A * R mod N) by a second digit (B * R mod N) to produce a product (A * B * R mod N) A coprocessor (26), the product of which is reduced by dividing the product by the value of R during multiplication, where A and B are integer values, and N is an odd integer value in modulo count. And
R is an integer value, and the modulo multiplication is performed based on (↓ * N), where ↓ is a coprocessor (26) determined when multiplying the first and second digits. A smart card. 4. The multiplier (56) coupled to the data bus for receiving the data, the coprocessor (26) receiving the data at a first input (46) of the multiplier. A multiplier (56) comprising: a first operand to be obtained and a second operand received at a second input (48) of the multiplier, the multiplier generating a product from the first and second operands (56); A first input coupled to receive the product, a second input coupled to receive a previous partial product, and an output providing a sum of the product and the previous partial product. A first input coupled to the output of the adder circuit; a second input coupled to receive the binary value N; A module having an output for providing a conversion product. 4. The smart card according to claim 3, wherein the smart card is constituted by: 5. An encryption system (10) for interfacing with the Internet.
A central processing unit (18) having a data bus (15) for transferring data; and a first digit (A * R mod N) and a second digit (B *) coupled to said data bus. R mod N) to generate a product (A * B * R mod N) that is a modulo N converted by dividing by the value of R during multiplication of the first and second digits. An accelerator block (26), where A and B are integer values, N is an odd integer value in modulo counting, R is an integer value, and modulo multiplication is based on the value (↓ * N) And an encryption accelerator block (26) determined when multiplying the first and second digits by an encryption accelerator block (26). 6. The encryption accelerator block (26) is: a multiplier (56) coupled to the data bus for receiving the data, the data being a first input (46) of the multiplier. A) comprising a first value received at a second input of the multiplier and a second value received at a second input of the multiplier, the multiplier generating a product from the first and second values; A first input coupled to the output of the multiplier, a second input coupled to receive a previous partial product, and an output providing a sum of the product and the previous partial product. An adder circuit (58) having a first input coupled to the output of the adder circuit, a second input coupled to receive the integer value N, and a reduced product. A modulo converter (60) having an output Encryption system according to claim 5, characterized in that it is made (10)
. 7. A memory (64) having an input coupled to the output of the modulo converter (60) and an output coupled to the second input of the adder circuit.
The encryption system (10) according to claim 6, further comprising: 8. An input coupled to the data bus for receiving the first value and coupled to the first input of the multiplier to provide a two's negative complement of the first value. The encryption system (10) according to claim 6, further comprising a digit negation unit (42) having an output to output. 9. An architecture for a Foster-Montgomery hardware accelerator (FMHA) (44) on which mathematical operations are performed, comprising: a first and a second combined to receive operands A and B, respectively. The second input (
A multiplier having an output for providing a partial product; a first input coupled to the output of the multiplier; and a first input coupled to receive a previous reduced partial product. An adder (58) having a second input (50) and an output for providing a sum value; and a first input coupled to the output of the adder, and a second input coupled to receive coefficients. An architecture comprising: a modulo converter (60) having an input (52) and an output for providing a reduced partial product. 10. A data bus (41) for transferring data; a first memory coupled to said data bus and storing said operands A and B;
72) having a first input coupled to the data bus (41), and a second input coupled to receive the reduced partial product, storing the reduced partial product; A second memory (64) for providing the previous reduced partial product; and an input coupled to the data bus (41); and an output coupled to the second input of the modulo converter. 10. The architecture of claim 9, further comprising: a third memory (70) for storing the coefficients.